The Risks of Chatbot Data Breaches and Privacy Issues Made Clear

With the news that Delta is filing a lawsuit against its chatbot
provider, among endless IT breaches and disasters, it is now starkly
clear that chatbots need to be secure and well-managed to protect the
business and its customers.

The cloud is so easy and seductive: sign up for a service, create
something amazing and off you go. That flexibility and access has been
a huge boon, driving startups and helping departments get ahead of
their plodding IT departments. However, in the charge toward cool AI
and chatbot products, or when using the cloud for storage and
third-party solutions, the need for cast-iron security becomes all the
greater, and most businesses lack the expertise to manage that facet.

This issue was brought to light by US airline Delta filing suit against
[24]7ai, claiming it lacked the proper security procedures for the
product, allowing hackers to alter the chatbot’s source code. It also
delayed admitting the breach to the airline, by some five months.
[24]7ai’s site has no mention of security beyond a front-page post
about support for GDPR, but the breach happened before that came into
force, and GDPR has limited impact on US businesses working with US
clients.

The case brings into focus the risk for
any business that decides it wants a chatbot or to operate an AI
service that stores customer data or personal details. The business
needs to understand where all that data resides, how it is protected
and who is responsible should there be an issue.

Looking for data trouble

One of the most popular tactics for
casual and more committed hackers is to search
Amazon AWS for open buckets of data, leading to a
weekly treasure trove of private, sometimes critical data that
businesses are leaving exposed. Reading through this and related news
pieces, like the Capital
One breach, highlights how serious the problem is.

Any business working with a chatbot provider needs to know:

What data is stored?

Where is it kept?

Who has access to it?

Who is responsible for managing it?

How long is the data stored for?

What identifiable data is kept?

How is security monitored and by whom?

What steps are in place for a breach?

The long version for cloud security looks at access rights,
identification and other issues, all of which need to be addressed.
None of this is rocket science, and even a startup with limited
technical resources needs to ask the right questions, or check for key
information when looking for services or partners. As an example,
here is how the SnatchBot service manages bot security:

The end client’s
chatbot is hosted in the cloud by Amazon AWS. This provides
state-of-the-art security, which consists of network isolation via
Virtual Private Cloud; security groups; AWS IAM-based resource-level
role permission controls; encryption at rest using AWS KMS or
Oracle/Microsoft TDE; SSL protection for data in transit.

That doesn’t mean the data can never
be accessed in some way, but it reduces the risk hugely and should
act only as the starting point for your business discussion on
security and protecting customer data.
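
The "open buckets" risk and the controls in the SnatchBot list (encryption at rest with KMS, SSL in transit) can be checked mechanically on storage a provider uses. The following is an added example, not code from this article or from SnatchBot: the function `audit_bucket`, its finding labels and both sample buckets are constructed, and the inputs are assumed to be shaped like the S3 bucket policy, ACL grant and default-encryption rule responses.

```python
import json

# Grantee URIs that S3 ACLs use for "everyone" and "any AWS account".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _wildcard(principal):
    # True for Principal "*" or {"AWS": "*"}, including list forms.
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in (principal if isinstance(principal, list) else [principal])

def audit_bucket(policy_json, acl_grants, encryption_rules):
    # Returns sorted finding labels (names are hypothetical) for one bucket.
    findings, tls_only = [], False
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    for st in statements if isinstance(statements, list) else [statements]:
        if not _wildcard(st.get("Principal")):
            continue
        cond = st.get("Condition", {})
        # Conservative: an unconditioned Allow to "*" is treated as public.
        if st.get("Effect") == "Allow" and not cond:
            findings.append("policy-public-allow")
        # A Deny when aws:SecureTransport is false refuses plaintext HTTP.
        secure = str(cond.get("Bool", {}).get("aws:SecureTransport", "")).lower()
        if st.get("Effect") == "Deny" and secure == "false":
            tls_only = True
    if not tls_only:
        findings.append("no-tls-only-deny")
    for grant in acl_grants:
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            findings.append("acl-public-" + grant["Permission"].lower())
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm", "")
             for r in encryption_rules]
    if not any(a.startswith("aws:kms") for a in algos):
        findings.append("no-kms-default-encryption")
    return sorted(findings)

# Constructed sample inputs, trimmed to the fields the audit reads.
OPEN_BUCKET = dict(
    policy_json='{"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}',
    acl_grants=[{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}],
    encryption_rules=[])
LOCKED_BUCKET = dict(
    policy_json=json.dumps({"Statement": [{"Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    acl_grants=[{"Grantee": {"ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"}],
    encryption_rules=[{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}])
```

Calling `audit_bucket(**OPEN_BUCKET)` reports all four findings, while `audit_bucket(**LOCKED_BUCKET)` reports none; an empty result is a starting point for the questions above, not proof that the data is safe.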

As chatbot and AI services become ever more reliant on live data,
there is also the risk of it being intercepted en route using
weaknesses in endpoints, which is why encryption is vital. There is
also the risk of something as simple as a hacker scraping or watching
the screen of a customer as they type, something that no bot can
mitigate.

The key is to ensure the business and provider are doing the best
they can to protect data, and to be open with customers about how they
handle it and what the customers’ rights are. Failure to do so will
add to the risk and, if something does go wrong, will leave them
responsible and liable, whatever the fancy small print on a website
says.

Ultimately, security is a never-ending
battle, and just because cloud “looks easy” to the end user and
most businesses, there still needs to be a degree of knowledge about
security and responsibility among the business, either in-house or
using a third-party expert and service.

Chris Knight writes about where technology will take us next, from the power of neural networks, artificial intelligence and chatbots, to the endless worlds promised by augmented and virtual reality. From the latest in gadgets and hardware to how digital businesses can use technology to grow, Chris makes the future clear and understandable to all.
